1 // SPDX-License-Identifier: GPL-2.0+
2 /* Copyright (c) 2015-2016 Quantenna Communications. All rights reserved. */
3 
4 #include <linux/kernel.h>
5 #include <linux/module.h>
6 #include <linux/slab.h>
7 #include <linux/nospec.h>
8 
9 #include "cfg80211.h"
10 #include "core.h"
11 #include "qlink.h"
12 #include "bus.h"
13 #include "trans.h"
14 #include "util.h"
15 #include "event.h"
16 #include "qlink_util.h"
17 
18 static int
19 qtnf_event_handle_sta_assoc(struct qtnf_wmac *mac, struct qtnf_vif *vif,
20 			    const struct qlink_event_sta_assoc *sta_assoc,
21 			    u16 len)
22 {
23 	const u8 *sta_addr;
24 	u16 frame_control;
25 	struct station_info *sinfo;
26 	size_t payload_len;
27 	u16 tlv_type;
28 	u16 tlv_value_len;
29 	const struct qlink_tlv_hdr *tlv;
30 	int ret = 0;
31 
32 	if (unlikely(len < sizeof(*sta_assoc))) {
33 		pr_err("VIF%u.%u: payload is too short (%u < %zu)\n",
34 		       mac->macid, vif->vifid, len, sizeof(*sta_assoc));
35 		return -EINVAL;
36 	}
37 
38 	if (vif->wdev.iftype != NL80211_IFTYPE_AP) {
39 		pr_err("VIF%u.%u: STA_ASSOC event when not in AP mode\n",
40 		       mac->macid, vif->vifid);
41 		return -EPROTO;
42 	}
43 
44 	sinfo = kzalloc(sizeof(*sinfo), GFP_KERNEL);
45 	if (!sinfo)
46 		return -ENOMEM;
47 
48 	sta_addr = sta_assoc->sta_addr;
49 	frame_control = le16_to_cpu(sta_assoc->frame_control);
50 
51 	pr_debug("VIF%u.%u: MAC:%pM FC:%x\n", mac->macid, vif->vifid, sta_addr,
52 		 frame_control);
53 
54 	qtnf_sta_list_add(vif, sta_addr);
55 
56 	sinfo->assoc_req_ies = NULL;
57 	sinfo->assoc_req_ies_len = 0;
58 	sinfo->generation = vif->generation;
59 
60 	payload_len = len - sizeof(*sta_assoc);
61 
62 	qlink_for_each_tlv(tlv, sta_assoc->ies, payload_len) {
63 		tlv_type = le16_to_cpu(tlv->type);
64 		tlv_value_len = le16_to_cpu(tlv->len);
65 
66 		if (tlv_type == QTN_TLV_ID_IE_SET) {
67 			const struct qlink_tlv_ie_set *ie_set;
68 			unsigned int ie_len;
69 
70 			if (tlv_value_len <
71 			    (sizeof(*ie_set) - sizeof(ie_set->hdr))) {
72 				ret = -EINVAL;
73 				goto out;
74 			}
75 
76 			ie_set = (const struct qlink_tlv_ie_set *)tlv;
77 			ie_len = tlv_value_len -
78 				(sizeof(*ie_set) - sizeof(ie_set->hdr));
79 
80 			if (ie_set->type == QLINK_IE_SET_ASSOC_REQ && ie_len) {
81 				sinfo->assoc_req_ies = ie_set->ie_data;
82 				sinfo->assoc_req_ies_len = ie_len;
83 			}
84 		}
85 	}
86 
87 	if (!qlink_tlv_parsing_ok(tlv, sta_assoc->ies, payload_len)) {
88 		pr_err("Malformed TLV buffer\n");
89 		ret = -EINVAL;
90 		goto out;
91 	}
92 
93 	cfg80211_new_sta(vif->netdev, sta_assoc->sta_addr, sinfo,
94 			 GFP_KERNEL);
95 
96 out:
97 	kfree(sinfo);
98 	return ret;
99 }
100 
101 static int
102 qtnf_event_handle_sta_deauth(struct qtnf_wmac *mac, struct qtnf_vif *vif,
103 			     const struct qlink_event_sta_deauth *sta_deauth,
104 			     u16 len)
105 {
106 	const u8 *sta_addr;
107 	u16 reason;
108 
109 	if (unlikely(len < sizeof(*sta_deauth))) {
110 		pr_err("VIF%u.%u: payload is too short (%u < %zu)\n",
111 		       mac->macid, vif->vifid, len,
112 		       sizeof(struct qlink_event_sta_deauth));
113 		return -EINVAL;
114 	}
115 
116 	if (vif->wdev.iftype != NL80211_IFTYPE_AP) {
117 		pr_err("VIF%u.%u: STA_DEAUTH event when not in AP mode\n",
118 		       mac->macid, vif->vifid);
119 		return -EPROTO;
120 	}
121 
122 	sta_addr = sta_deauth->sta_addr;
123 	reason = le16_to_cpu(sta_deauth->reason);
124 
125 	pr_debug("VIF%u.%u: MAC:%pM reason:%x\n", mac->macid, vif->vifid,
126 		 sta_addr, reason);
127 
128 	if (qtnf_sta_list_del(vif, sta_addr))
129 		cfg80211_del_sta(vif->netdev, sta_deauth->sta_addr,
130 				 GFP_KERNEL);
131 
132 	return 0;
133 }
134 
135 static int
136 qtnf_event_handle_bss_join(struct qtnf_vif *vif,
137 			   const struct qlink_event_bss_join *join_info,
138 			   u16 len)
139 {
140 	struct wiphy *wiphy = priv_to_wiphy(vif->mac);
141 	enum ieee80211_statuscode status = le16_to_cpu(join_info->status);
142 	struct cfg80211_chan_def chandef;
143 	struct cfg80211_bss *bss = NULL;
144 	u8 *ie = NULL;
145 	size_t payload_len;
146 	u16 tlv_type;
147 	u16 tlv_value_len;
148 	const struct qlink_tlv_hdr *tlv;
149 	const u8 *rsp_ies = NULL;
150 	size_t rsp_ies_len = 0;
151 
152 	if (unlikely(len < sizeof(*join_info))) {
153 		pr_err("VIF%u.%u: payload is too short (%u < %zu)\n",
154 		       vif->mac->macid, vif->vifid, len,
155 		       sizeof(struct qlink_event_bss_join));
156 		return -EINVAL;
157 	}
158 
159 	if (vif->wdev.iftype != NL80211_IFTYPE_STATION) {
160 		pr_err("VIF%u.%u: BSS_JOIN event when not in STA mode\n",
161 		       vif->mac->macid, vif->vifid);
162 		return -EPROTO;
163 	}
164 
165 	pr_debug("VIF%u.%u: BSSID:%pM chan:%u status:%u\n",
166 		 vif->mac->macid, vif->vifid, join_info->bssid,
167 		 le16_to_cpu(join_info->chan.chan.center_freq), status);
168 
169 	if (status != WLAN_STATUS_SUCCESS)
170 		goto done;
171 
172 	qlink_chandef_q2cfg(wiphy, &join_info->chan, &chandef);
173 	if (!cfg80211_chandef_valid(&chandef)) {
174 		pr_warn("MAC%u.%u: bad channel freq=%u cf1=%u cf2=%u bw=%u\n",
175 			vif->mac->macid, vif->vifid,
176 			chandef.chan ? chandef.chan->center_freq : 0,
177 			chandef.center_freq1,
178 			chandef.center_freq2,
179 			chandef.width);
180 		status = WLAN_STATUS_UNSPECIFIED_FAILURE;
181 		goto done;
182 	}
183 
184 	bss = cfg80211_get_bss(wiphy, chandef.chan, join_info->bssid,
185 			       NULL, 0, IEEE80211_BSS_TYPE_ESS,
186 			       IEEE80211_PRIVACY_ANY);
187 	if (!bss) {
188 		pr_warn("VIF%u.%u: add missing BSS:%pM chan:%u\n",
189 			vif->mac->macid, vif->vifid,
190 			join_info->bssid, chandef.chan->hw_value);
191 
192 		if (!vif->wdev.ssid_len) {
193 			pr_warn("VIF%u.%u: SSID unknown for BSS:%pM\n",
194 				vif->mac->macid, vif->vifid,
195 				join_info->bssid);
196 			status = WLAN_STATUS_UNSPECIFIED_FAILURE;
197 			goto done;
198 		}
199 
200 		ie = kzalloc(2 + vif->wdev.ssid_len, GFP_KERNEL);
201 		if (!ie) {
202 			pr_warn("VIF%u.%u: IE alloc failed for BSS:%pM\n",
203 				vif->mac->macid, vif->vifid,
204 				join_info->bssid);
205 			status = WLAN_STATUS_UNSPECIFIED_FAILURE;
206 			goto done;
207 		}
208 
209 		ie[0] = WLAN_EID_SSID;
210 		ie[1] = vif->wdev.ssid_len;
211 		memcpy(ie + 2, vif->wdev.ssid, vif->wdev.ssid_len);
212 
213 		bss = cfg80211_inform_bss(wiphy, chandef.chan,
214 					  CFG80211_BSS_FTYPE_UNKNOWN,
215 					  join_info->bssid, 0,
216 					  WLAN_CAPABILITY_ESS, 100,
217 					  ie, 2 + vif->wdev.ssid_len,
218 					  0, GFP_KERNEL);
219 		if (!bss) {
220 			pr_warn("VIF%u.%u: can't connect to unknown BSS: %pM\n",
221 				vif->mac->macid, vif->vifid,
222 				join_info->bssid);
223 			status = WLAN_STATUS_UNSPECIFIED_FAILURE;
224 			goto done;
225 		}
226 	}
227 
228 	payload_len = len - sizeof(*join_info);
229 
230 	qlink_for_each_tlv(tlv, join_info->ies, payload_len) {
231 		tlv_type = le16_to_cpu(tlv->type);
232 		tlv_value_len = le16_to_cpu(tlv->len);
233 
234 		if (tlv_type == QTN_TLV_ID_IE_SET) {
235 			const struct qlink_tlv_ie_set *ie_set;
236 			unsigned int ie_len;
237 
238 			if (tlv_value_len <
239 			    (sizeof(*ie_set) - sizeof(ie_set->hdr))) {
240 				pr_warn("invalid IE_SET TLV\n");
241 				status = WLAN_STATUS_UNSPECIFIED_FAILURE;
242 				goto done;
243 			}
244 
245 			ie_set = (const struct qlink_tlv_ie_set *)tlv;
246 			ie_len = tlv_value_len -
247 				(sizeof(*ie_set) - sizeof(ie_set->hdr));
248 
249 			switch (ie_set->type) {
250 			case QLINK_IE_SET_ASSOC_RESP:
251 				if (ie_len) {
252 					rsp_ies = ie_set->ie_data;
253 					rsp_ies_len = ie_len;
254 				}
255 				break;
256 			default:
257 				pr_warn("unexpected IE type: %u\n",
258 					ie_set->type);
259 				break;
260 			}
261 		}
262 	}
263 
264 	if (!qlink_tlv_parsing_ok(tlv, join_info->ies, payload_len))
265 		pr_warn("Malformed TLV buffer\n");
266 done:
267 	cfg80211_connect_result(vif->netdev, join_info->bssid, NULL, 0, rsp_ies,
268 				rsp_ies_len, status, GFP_KERNEL);
269 	if (bss) {
270 		if (!ether_addr_equal(vif->bssid, join_info->bssid))
271 			ether_addr_copy(vif->bssid, join_info->bssid);
272 		cfg80211_put_bss(wiphy, bss);
273 	}
274 
275 	if (status == WLAN_STATUS_SUCCESS)
276 		netif_carrier_on(vif->netdev);
277 
278 	kfree(ie);
279 	return 0;
280 }
281 
282 static int
283 qtnf_event_handle_bss_leave(struct qtnf_vif *vif,
284 			    const struct qlink_event_bss_leave *leave_info,
285 			    u16 len)
286 {
287 	if (unlikely(len < sizeof(*leave_info))) {
288 		pr_err("VIF%u.%u: payload is too short (%u < %zu)\n",
289 		       vif->mac->macid, vif->vifid, len,
290 		       sizeof(struct qlink_event_bss_leave));
291 		return -EINVAL;
292 	}
293 
294 	if (vif->wdev.iftype != NL80211_IFTYPE_STATION) {
295 		pr_err("VIF%u.%u: BSS_LEAVE event when not in STA mode\n",
296 		       vif->mac->macid, vif->vifid);
297 		return -EPROTO;
298 	}
299 
300 	pr_debug("VIF%u.%u: disconnected\n", vif->mac->macid, vif->vifid);
301 
302 	cfg80211_disconnected(vif->netdev, le16_to_cpu(leave_info->reason),
303 			      NULL, 0, 0, GFP_KERNEL);
304 	netif_carrier_off(vif->netdev);
305 
306 	return 0;
307 }
308 
309 static int
310 qtnf_event_handle_mgmt_received(struct qtnf_vif *vif,
311 				const struct qlink_event_rxmgmt *rxmgmt,
312 				u16 len)
313 {
314 	const size_t min_len = sizeof(*rxmgmt) +
315 			       sizeof(struct ieee80211_hdr_3addr);
316 	const struct ieee80211_hdr_3addr *frame = (void *)rxmgmt->frame_data;
317 	const u16 frame_len = len - sizeof(*rxmgmt);
318 	enum nl80211_rxmgmt_flags flags = 0;
319 
320 	if (unlikely(len < min_len)) {
321 		pr_err("VIF%u.%u: payload is too short (%u < %zu)\n",
322 		       vif->mac->macid, vif->vifid, len, min_len);
323 		return -EINVAL;
324 	}
325 
326 	if (le32_to_cpu(rxmgmt->flags) & QLINK_RXMGMT_FLAG_ANSWERED)
327 		flags |= NL80211_RXMGMT_FLAG_ANSWERED;
328 
329 	pr_debug("%s LEN:%u FC:%.4X SA:%pM\n", vif->netdev->name, frame_len,
330 		 le16_to_cpu(frame->frame_control), frame->addr2);
331 
332 	cfg80211_rx_mgmt(&vif->wdev, le32_to_cpu(rxmgmt->freq), rxmgmt->sig_dbm,
333 			 rxmgmt->frame_data, frame_len, flags);
334 
335 	return 0;
336 }
337 
338 static int
339 qtnf_event_handle_scan_results(struct qtnf_vif *vif,
340 			       const struct qlink_event_scan_result *sr,
341 			       u16 len)
342 {
343 	struct cfg80211_bss *bss;
344 	struct ieee80211_channel *channel;
345 	struct wiphy *wiphy = priv_to_wiphy(vif->mac);
346 	enum cfg80211_bss_frame_type frame_type = CFG80211_BSS_FTYPE_UNKNOWN;
347 	size_t payload_len;
348 	u16 tlv_type;
349 	u16 tlv_value_len;
350 	const struct qlink_tlv_hdr *tlv;
351 	const u8 *ies = NULL;
352 	size_t ies_len = 0;
353 
354 	if (len < sizeof(*sr)) {
355 		pr_err("VIF%u.%u: payload is too short\n", vif->mac->macid,
356 		       vif->vifid);
357 		return -EINVAL;
358 	}
359 
360 	channel = ieee80211_get_channel(wiphy, le16_to_cpu(sr->freq));
361 	if (!channel) {
362 		pr_err("VIF%u.%u: channel at %u MHz not found\n",
363 		       vif->mac->macid, vif->vifid, le16_to_cpu(sr->freq));
364 		return -EINVAL;
365 	}
366 
367 	payload_len = len - sizeof(*sr);
368 
369 	qlink_for_each_tlv(tlv, sr->payload, payload_len) {
370 		tlv_type = le16_to_cpu(tlv->type);
371 		tlv_value_len = le16_to_cpu(tlv->len);
372 
373 		if (tlv_type == QTN_TLV_ID_IE_SET) {
374 			const struct qlink_tlv_ie_set *ie_set;
375 			unsigned int ie_len;
376 
377 			if (tlv_value_len <
378 			    (sizeof(*ie_set) - sizeof(ie_set->hdr)))
379 				return -EINVAL;
380 
381 			ie_set = (const struct qlink_tlv_ie_set *)tlv;
382 			ie_len = tlv_value_len -
383 				(sizeof(*ie_set) - sizeof(ie_set->hdr));
384 
385 			switch (ie_set->type) {
386 			case QLINK_IE_SET_BEACON_IES:
387 				frame_type = CFG80211_BSS_FTYPE_BEACON;
388 				break;
389 			case QLINK_IE_SET_PROBE_RESP_IES:
390 				frame_type = CFG80211_BSS_FTYPE_PRESP;
391 				break;
392 			default:
393 				frame_type = CFG80211_BSS_FTYPE_UNKNOWN;
394 			}
395 
396 			if (ie_len) {
397 				ies = ie_set->ie_data;
398 				ies_len = ie_len;
399 			}
400 		}
401 	}
402 
403 	if (!qlink_tlv_parsing_ok(tlv, sr->payload, payload_len))
404 		return -EINVAL;
405 
406 	bss = cfg80211_inform_bss(wiphy, channel, frame_type,
407 				  sr->bssid, get_unaligned_le64(&sr->tsf),
408 				  le16_to_cpu(sr->capab),
409 				  le16_to_cpu(sr->bintval), ies, ies_len,
410 				  DBM_TO_MBM(sr->sig_dbm), GFP_KERNEL);
411 	if (!bss)
412 		return -ENOMEM;
413 
414 	cfg80211_put_bss(wiphy, bss);
415 
416 	return 0;
417 }
418 
419 static int
420 qtnf_event_handle_scan_complete(struct qtnf_wmac *mac,
421 				const struct qlink_event_scan_complete *status,
422 				u16 len)
423 {
424 	if (len < sizeof(*status)) {
425 		pr_err("MAC%u: payload is too short\n", mac->macid);
426 		return -EINVAL;
427 	}
428 
429 	qtnf_scan_done(mac, le32_to_cpu(status->flags) & QLINK_SCAN_ABORTED);
430 
431 	return 0;
432 }
433 
434 static int
435 qtnf_event_handle_freq_change(struct qtnf_wmac *mac,
436 			      const struct qlink_event_freq_change *data,
437 			      u16 len)
438 {
439 	struct wiphy *wiphy = priv_to_wiphy(mac);
440 	struct cfg80211_chan_def chandef;
441 	struct qtnf_vif *vif;
442 	int i;
443 
444 	if (len < sizeof(*data)) {
445 		pr_err("MAC%u: payload is too short\n", mac->macid);
446 		return -EINVAL;
447 	}
448 
449 	if (!wiphy->registered)
450 		return 0;
451 
452 	qlink_chandef_q2cfg(wiphy, &data->chan, &chandef);
453 
454 	if (!cfg80211_chandef_valid(&chandef)) {
455 		pr_err("MAC%u: bad channel freq=%u cf1=%u cf2=%u bw=%u\n",
456 		       mac->macid, chandef.chan->center_freq,
457 		       chandef.center_freq1, chandef.center_freq2,
458 		       chandef.width);
459 		return -EINVAL;
460 	}
461 
462 	pr_debug("MAC%d: new channel ieee=%u freq1=%u freq2=%u bw=%u\n",
463 		 mac->macid, chandef.chan->hw_value, chandef.center_freq1,
464 		 chandef.center_freq2, chandef.width);
465 
466 	for (i = 0; i < QTNF_MAX_INTF; i++) {
467 		vif = &mac->iflist[i];
468 
469 		if (vif->wdev.iftype == NL80211_IFTYPE_UNSPECIFIED)
470 			continue;
471 
472 		if (vif->wdev.iftype == NL80211_IFTYPE_STATION &&
473 		    !vif->wdev.current_bss)
474 			continue;
475 
476 		if (!vif->netdev)
477 			continue;
478 
479 		mutex_lock(&vif->wdev.mtx);
480 		cfg80211_ch_switch_notify(vif->netdev, &chandef);
481 		mutex_unlock(&vif->wdev.mtx);
482 	}
483 
484 	return 0;
485 }
486 
487 static int qtnf_event_handle_radar(struct qtnf_vif *vif,
488 				   const struct qlink_event_radar *ev,
489 				   u16 len)
490 {
491 	struct wiphy *wiphy = priv_to_wiphy(vif->mac);
492 	struct cfg80211_chan_def chandef;
493 
494 	if (len < sizeof(*ev)) {
495 		pr_err("MAC%u: payload is too short\n", vif->mac->macid);
496 		return -EINVAL;
497 	}
498 
499 	if (!wiphy->registered || !vif->netdev)
500 		return 0;
501 
502 	qlink_chandef_q2cfg(wiphy, &ev->chan, &chandef);
503 
504 	if (!cfg80211_chandef_valid(&chandef)) {
505 		pr_err("MAC%u: bad channel f1=%u f2=%u bw=%u\n",
506 		       vif->mac->macid,
507 		       chandef.center_freq1, chandef.center_freq2,
508 		       chandef.width);
509 		return -EINVAL;
510 	}
511 
512 	pr_info("%s: radar event=%u f1=%u f2=%u bw=%u\n",
513 		vif->netdev->name, ev->event,
514 		chandef.center_freq1, chandef.center_freq2,
515 		chandef.width);
516 
517 	switch (ev->event) {
518 	case QLINK_RADAR_DETECTED:
519 		cfg80211_radar_event(wiphy, &chandef, GFP_KERNEL);
520 		break;
521 	case QLINK_RADAR_CAC_FINISHED:
522 		if (!vif->wdev.cac_started)
523 			break;
524 
525 		cfg80211_cac_event(vif->netdev, &chandef,
526 				   NL80211_RADAR_CAC_FINISHED, GFP_KERNEL);
527 		break;
528 	case QLINK_RADAR_CAC_ABORTED:
529 		if (!vif->wdev.cac_started)
530 			break;
531 
532 		cfg80211_cac_event(vif->netdev, &chandef,
533 				   NL80211_RADAR_CAC_ABORTED, GFP_KERNEL);
534 		break;
535 	case QLINK_RADAR_CAC_STARTED:
536 		if (vif->wdev.cac_started)
537 			break;
538 
539 		if (!wiphy_ext_feature_isset(wiphy,
540 					     NL80211_EXT_FEATURE_DFS_OFFLOAD))
541 			break;
542 
543 		cfg80211_cac_event(vif->netdev, &chandef,
544 				   NL80211_RADAR_CAC_STARTED, GFP_KERNEL);
545 		break;
546 	default:
547 		pr_warn("%s: unhandled radar event %u\n",
548 			vif->netdev->name, ev->event);
549 		break;
550 	}
551 
552 	return 0;
553 }
554 
555 static int
556 qtnf_event_handle_external_auth(struct qtnf_vif *vif,
557 				const struct qlink_event_external_auth *ev,
558 				u16 len)
559 {
560 	struct cfg80211_external_auth_params auth = {0};
561 	struct wiphy *wiphy = priv_to_wiphy(vif->mac);
562 	int ret;
563 
564 	if (len < sizeof(*ev)) {
565 		pr_err("MAC%u: payload is too short\n", vif->mac->macid);
566 		return -EINVAL;
567 	}
568 
569 	if (!wiphy->registered || !vif->netdev)
570 		return 0;
571 
572 	if (ev->ssid_len) {
573 		int len = clamp_val(ev->ssid_len, 0, IEEE80211_MAX_SSID_LEN);
574 
575 		memcpy(auth.ssid.ssid, ev->ssid, len);
576 		auth.ssid.ssid_len = len;
577 	}
578 
579 	auth.key_mgmt_suite = le32_to_cpu(ev->akm_suite);
580 	ether_addr_copy(auth.bssid, ev->bssid);
581 	auth.action = ev->action;
582 
583 	pr_debug("%s: external SAE processing: bss=%pM action=%u akm=%u\n",
584 		 vif->netdev->name, auth.bssid, auth.action,
585 		 auth.key_mgmt_suite);
586 
587 	ret = cfg80211_external_auth_request(vif->netdev, &auth, GFP_KERNEL);
588 	if (ret)
589 		pr_warn("failed to offload external auth request\n");
590 
591 	return ret;
592 }
593 
594 static int
595 qtnf_event_handle_mic_failure(struct qtnf_vif *vif,
596 			      const struct qlink_event_mic_failure *mic_ev,
597 			      u16 len)
598 {
599 	struct wiphy *wiphy = priv_to_wiphy(vif->mac);
600 	u8 pairwise;
601 
602 	if (len < sizeof(*mic_ev)) {
603 		pr_err("VIF%u.%u: payload is too short (%u < %zu)\n",
604 		       vif->mac->macid, vif->vifid, len,
605 		       sizeof(struct qlink_event_mic_failure));
606 		return -EINVAL;
607 	}
608 
609 	if (!wiphy->registered || !vif->netdev)
610 		return 0;
611 
612 	if (vif->wdev.iftype != NL80211_IFTYPE_STATION) {
613 		pr_err("VIF%u.%u: MIC_FAILURE event when not in STA mode\n",
614 		       vif->mac->macid, vif->vifid);
615 		return -EPROTO;
616 	}
617 
618 	pairwise = mic_ev->pairwise ?
619 		NL80211_KEYTYPE_PAIRWISE : NL80211_KEYTYPE_GROUP;
620 
621 	pr_info("%s: MIC error: src=%pM key_index=%u pairwise=%u\n",
622 		vif->netdev->name, mic_ev->src, mic_ev->key_index, pairwise);
623 
624 	cfg80211_michael_mic_failure(vif->netdev, mic_ev->src, pairwise,
625 				     mic_ev->key_index, NULL, GFP_KERNEL);
626 
627 	return 0;
628 }
629 
630 static int
631 qtnf_event_handle_update_owe(struct qtnf_vif *vif,
632 			     const struct qlink_event_update_owe *owe_ev,
633 			     u16 len)
634 {
635 	struct wiphy *wiphy = priv_to_wiphy(vif->mac);
636 	struct cfg80211_update_owe_info owe_info = {};
637 	const u16 ie_len = len - sizeof(*owe_ev);
638 	u8 *ie;
639 
640 	if (len < sizeof(*owe_ev)) {
641 		pr_err("VIF%u.%u: payload is too short (%u < %zu)\n",
642 		       vif->mac->macid, vif->vifid, len,
643 		       sizeof(struct qlink_event_update_owe));
644 		return -EINVAL;
645 	}
646 
647 	if (!wiphy->registered || !vif->netdev)
648 		return 0;
649 
650 	if (vif->wdev.iftype != NL80211_IFTYPE_AP) {
651 		pr_err("VIF%u.%u: UPDATE_OWE event when not in AP mode\n",
652 		       vif->mac->macid, vif->vifid);
653 		return -EPROTO;
654 	}
655 
656 	ie = kzalloc(ie_len, GFP_KERNEL);
657 	if (!ie)
658 		return -ENOMEM;
659 
660 	memcpy(owe_info.peer, owe_ev->peer, ETH_ALEN);
661 	memcpy(ie, owe_ev->ies, ie_len);
662 	owe_info.ie_len = ie_len;
663 	owe_info.ie = ie;
664 
665 	pr_info("%s: external OWE processing: peer=%pM\n",
666 		vif->netdev->name, owe_ev->peer);
667 
668 	cfg80211_update_owe_info_event(vif->netdev, &owe_info, GFP_KERNEL);
669 	kfree(ie);
670 
671 	return 0;
672 }
673 
674 static int qtnf_event_parse(struct qtnf_wmac *mac,
675 			    const struct sk_buff *event_skb)
676 {
677 	const struct qlink_event *event;
678 	struct qtnf_vif *vif = NULL;
679 	int ret = -1;
680 	u16 event_id;
681 	u16 event_len;
682 	u8 vifid;
683 
684 	event = (const struct qlink_event *)event_skb->data;
685 	event_id = le16_to_cpu(event->event_id);
686 	event_len = le16_to_cpu(event->mhdr.len);
687 
688 	if (event->vifid >= QTNF_MAX_INTF) {
689 		pr_err("invalid vif(%u)\n", event->vifid);
690 		return -EINVAL;
691 	}
692 
693 	vifid = array_index_nospec(event->vifid, QTNF_MAX_INTF);
694 	vif = &mac->iflist[vifid];
695 
696 	switch (event_id) {
697 	case QLINK_EVENT_STA_ASSOCIATED:
698 		ret = qtnf_event_handle_sta_assoc(mac, vif, (const void *)event,
699 						  event_len);
700 		break;
701 	case QLINK_EVENT_STA_DEAUTH:
702 		ret = qtnf_event_handle_sta_deauth(mac, vif,
703 						   (const void *)event,
704 						   event_len);
705 		break;
706 	case QLINK_EVENT_MGMT_RECEIVED:
707 		ret = qtnf_event_handle_mgmt_received(vif, (const void *)event,
708 						      event_len);
709 		break;
710 	case QLINK_EVENT_SCAN_RESULTS:
711 		ret = qtnf_event_handle_scan_results(vif, (const void *)event,
712 						     event_len);
713 		break;
714 	case QLINK_EVENT_SCAN_COMPLETE:
715 		ret = qtnf_event_handle_scan_complete(mac, (const void *)event,
716 						      event_len);
717 		break;
718 	case QLINK_EVENT_BSS_JOIN:
719 		ret = qtnf_event_handle_bss_join(vif, (const void *)event,
720 						 event_len);
721 		break;
722 	case QLINK_EVENT_BSS_LEAVE:
723 		ret = qtnf_event_handle_bss_leave(vif, (const void *)event,
724 						  event_len);
725 		break;
726 	case QLINK_EVENT_FREQ_CHANGE:
727 		ret = qtnf_event_handle_freq_change(mac, (const void *)event,
728 						    event_len);
729 		break;
730 	case QLINK_EVENT_RADAR:
731 		ret = qtnf_event_handle_radar(vif, (const void *)event,
732 					      event_len);
733 		break;
734 	case QLINK_EVENT_EXTERNAL_AUTH:
735 		ret = qtnf_event_handle_external_auth(vif, (const void *)event,
736 						      event_len);
737 		break;
738 	case QLINK_EVENT_MIC_FAILURE:
739 		ret = qtnf_event_handle_mic_failure(vif, (const void *)event,
740 						    event_len);
741 		break;
742 	case QLINK_EVENT_UPDATE_OWE:
743 		ret = qtnf_event_handle_update_owe(vif, (const void *)event,
744 						   event_len);
745 		break;
746 	default:
747 		pr_warn("unknown event type: %x\n", event_id);
748 		break;
749 	}
750 
751 	return ret;
752 }
753 
754 static int qtnf_event_process_skb(struct qtnf_bus *bus,
755 				  const struct sk_buff *skb)
756 {
757 	const struct qlink_event *event;
758 	struct qtnf_wmac *mac;
759 	int res;
760 
761 	if (unlikely(!skb || skb->len < sizeof(*event))) {
762 		pr_err("invalid event buffer\n");
763 		return -EINVAL;
764 	}
765 
766 	event = (struct qlink_event *)skb->data;
767 
768 	mac = qtnf_core_get_mac(bus, event->macid);
769 
770 	pr_debug("new event id:%x len:%u mac:%u vif:%u\n",
771 		 le16_to_cpu(event->event_id), le16_to_cpu(event->mhdr.len),
772 		 event->macid, event->vifid);
773 
774 	if (unlikely(!mac))
775 		return -ENXIO;
776 
777 	rtnl_lock();
778 	res = qtnf_event_parse(mac, skb);
779 	rtnl_unlock();
780 
781 	return res;
782 }
783 
784 void qtnf_event_work_handler(struct work_struct *work)
785 {
786 	struct qtnf_bus *bus = container_of(work, struct qtnf_bus, event_work);
787 	struct sk_buff_head *event_queue = &bus->trans.event_queue;
788 	struct sk_buff *current_event_skb = skb_dequeue(event_queue);
789 
790 	while (current_event_skb) {
791 		qtnf_event_process_skb(bus, current_event_skb);
792 		dev_kfree_skb_any(current_event_skb);
793 		current_event_skb = skb_dequeue(event_queue);
794 	}
795 }
796